// Detects one of the shellcode stubs carried by the Linux.Exploit.Sorso sample
// named in reference_sample. The rule is a single 16-byte x86 pattern, so a hit
// means "these bytes are present", not "this code ran".
//
// NOTE(review): the condition has no file-type or size constraint, and
// scan_context covers both files and memory. Short execve/exit stubs like this
// one also appear in shellcode collections, exploit archives and security
// tooling, so expect hits there. Triage on the reference_sample hash and the
// surrounding context before acting on severity = 100.
rule Linux_Exploit_Sorso_ecf99f8f {
    meta:
        author = "Elastic Security"
        id = "ecf99f8f-1692-41ee-a70d-8c868e269529"
        fingerprint = "d2c0ccceed8a76d13c8b388e5c3b560f23ecff2b1b9c90d18e5e0d0bbdc91364"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Sorso"
        // Same sample hash as the other two Sorso rules in this file.
        reference_sample = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // 32-bit x86 decode of the pattern:
        //   6E       trailing byte of the preceding instruction (ASCII 'n';
        //            presumably the end of a pushed path string - confirm)
        //   89 E3    mov ebx, esp
        //   50       push eax
        //   54       push esp
        //   53       push ebx
        //   50       push eax
        //   B0 3B    mov al, 0x3B
        //   CD 80    int 0x80
        //   31 C0    xor eax, eax
        //   B0 01    mov al, 1        ; exit
        //   CD       first byte of the following int (pattern ends mid-instruction)
        // NOTE(review): arguments go on the stack and the syscall number is 0x3B,
        // which is execve in BSD-family i386 syscall tables; Linux i386 execve is
        // 0x0B. This looks like a payload for a non-Linux target embedded in a
        // Linux-hosted exploit binary - verify against the sample.
        $a = { 6E 89 E3 50 54 53 50 B0 3B CD 80 31 C0 B0 01 CD }
    condition:
        // Only $a is defined, so this is equivalent to requiring $a.
        all of them
}

// Detects a second shellcode fragment from the Linux.Exploit.Sorso sample named
// in reference_sample: the end of a descriptor-duplication syscall sequence
// followed by the start of a pushed path string.
//
// NOTE(review): a single 16-byte pattern with no file-type or size constraint,
// scanned in files and memory. Generic shellcode sequences of this shape also
// occur in shellcode corpora and security tooling; corroborate a hit with the
// reference_sample hash or other Sorso indicators before treating it as
// severity 100.
rule Linux_Exploit_Sorso_91a4d487 {
    meta:
        author = "Elastic Security"
        id = "91a4d487-cbb6-4805-a4fc-5f4ff3b0e22b"
        fingerprint = "4965d806fa46b74023791ca17a90031753fbbe6094d25868e8d93e720f61d4c0"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Sorso"
        // Same sample hash as the other two Sorso rules in this file.
        reference_sample = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // 32-bit x86 decode of the pattern:
        //   80       trailing byte of the preceding instruction
        //            (presumably the 0x80 of an `int 0x80` - confirm)
        //   31 C0    xor eax, eax
        //   43       inc ebx
        //   53       push ebx
        //   56       push esi
        //   50       push eax
        //   B0 5A    mov al, 0x5A
        //   CD 80    int 0x80
        //   31 C0    xor eax, eax
        //   50       push eax
        //   68 2F    push imm32 whose first byte is '/' (pattern ends mid-instruction)
        // NOTE(review): 0x5A with stack-passed arguments matches dup2 in
        // BSD-family i386 syscall tables; Linux i386 dup2 is 0x3F. Likely a
        // payload for a non-Linux target carried inside the Linux-hosted
        // exploit - verify against the sample.
        $a = { 80 31 C0 43 53 56 50 B0 5A CD 80 31 C0 50 68 2F }
    condition:
        // Only $a is defined, so this is equivalent to requiring $a.
        all of them
}

// Detects a third shellcode stub from the Linux.Exploit.Sorso sample named in
// reference_sample: a register-argument execve followed by exit, in the Linux
// i386 `int 0x80` convention.
//
// NOTE(review): this is the classic execve/exit tail found in a great deal of
// public Linux x86 shellcode, and the condition adds no file-type or size
// constraint. On its own the pattern identifies shellcode, not the Sorso family
// specifically; expect hits on shellcode collections and security tooling, and
// confirm with the reference_sample hash before acting on severity = 100.
rule Linux_Exploit_Sorso_61eae7dd {
    meta:
        author = "Elastic Security"
        id = "61eae7dd-3335-4a50-b70b-c7c5657fc540"
        fingerprint = "8ada74a60e30a26f7789bfdf00b3373843f39dc7d71bd6e1b603a7a41b5a63e9"
        creation_date = "2021-04-06"
        last_modified = "2021-09-16"
        threat_name = "Linux.Exploit.Sorso"
        // Same sample hash as the other two Sorso rules in this file.
        reference_sample = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"
    strings:
        // 32-bit x86 decode of the pattern:
        //   69       trailing byte of the preceding instruction (ASCII 'i';
        //            presumably the end of a pushed path string - confirm)
        //   89 E3    mov ebx, esp     ; ebx -> string on the stack
        //   50       push eax
        //   53       push ebx
        //   89 E1    mov ecx, esp     ; ecx -> pointer array just pushed
        //   B0 0B    mov al, 0x0B     ; Linux i386 execve
        //   CD 80    int 0x80
        //   31 C0    xor eax, eax
        //   B0 01    mov al, 1        ; exit
        //   CD       first byte of the following int (pattern ends mid-instruction)
        $a = { 69 89 E3 50 53 89 E1 B0 0B CD 80 31 C0 B0 01 CD }
    condition:
        // Only $a is defined, so this is equivalent to requiring $a.
        all of them
}

